diff --git a/dev/translation/ignore_translation_keys.lst b/dev/translation/ignore_translation_keys.lst index 1bc5a71f9f8..ae23cb8e622 100644 --- a/dev/translation/ignore_translation_keys.lst +++ b/dev/translation/ignore_translation_keys.lst @@ -425,7 +425,6 @@ Gzip HTTPBasicPassword HelpAbandonProductReturned HideVersionLink -HolidayStarted Hook Hooks IBANNotDefined diff --git a/htdocs/accountancy/admin/accountmodel.php b/htdocs/accountancy/admin/accountmodel.php index 2b7c52d15fe..35ab8395132 100644 --- a/htdocs/accountancy/admin/accountmodel.php +++ b/htdocs/accountancy/admin/accountmodel.php @@ -142,6 +142,7 @@ $tabrowid[31] = ""; $tabhelp = array(); $tabhelp[31] = array('pcg_version' => $langs->trans("EnterAnyCode")); +$permissiontoeditchart = $user->hasRight('accounting', 'chartofaccount'); /* @@ -301,7 +302,7 @@ if (GETPOST('actionadd', 'alpha') || GETPOST('actionmodify', 'alpha')) { } } -if ($action == 'confirm_delete' && $confirm == 'yes') { // delete +if ($action == 'confirm_delete' && $confirm == 'yes' && $permissiontoeditchart) { // delete if ($tabrowid[$id]) { $rowidcol = $tabrowid[$id]; } else { @@ -322,7 +323,7 @@ if ($action == 'confirm_delete' && $confirm == 'yes') { // delete } // activate -if ($action == 'activate') { +if ($action == 'activate' && $permissiontoeditchart) { $sql = "UPDATE ".$db->sanitize($tabname[$id])." SET active = 1 WHERE rowid = ".((int) $rowid); $result = $db->query($sql); if (!$result) { @@ -331,7 +332,7 @@ if ($action == 'activate') { } // disable -if ($action == $acts[1]) { +if ($action == $acts[1] && $permissiontoeditchart) { $sql = "UPDATE ".$db->sanitize($tabname[$id])." SET active = 0 WHERE rowid = ".((int) $rowid); $result = $db->query($sql); if (!$result) { diff --git a/htdocs/bom/bom_card.php b/htdocs/bom/bom_card.php index 7a252c9a4d3..20a517eb5c7 100644 --- a/htdocs/bom/bom_card.php +++ b/htdocs/bom/bom_card.php 
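Review bot: The new `$permissiontoeditchart` guard is applied to `confirm_delete`, `activate` and the disable branch of accountmodel.php, but the add/modify branch that the second hunk's header shows, `if (GETPOST('actionadd', 'alpha') || GETPOST('actionmodify', 'alpha')) {`, does not visibly carry it; if that condition is not extended elsewhere, creating or editing a chart model would remain possible without the right that deleting one now requires. Suggested: `if ((GETPOST('actionadd', 'alpha') || GETPOST('actionmodify', 'alpha')) && $permissiontoeditchart) {`. The body of that branch lies outside the hunk, so the check may already sit inside it.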
@@ -134,8 +134,9 @@ if (empty($reshook)) { // Actions cancel, add, update, delete or clone include DOL_DOCUMENT_ROOT.'/core/actions_addupdatedelete.inc.php'; + // The fetch/fetch_lines was redone into the inc.php so we must recall the calculateCosts() - if ($action == 'confirm_validate' && $object->id > 0) { + if ($action == 'confirm_validate' && $object->id > 0) { // Test on permission not required $object->calculateCosts(); } diff --git a/htdocs/bookcal/availabilities_card.php b/htdocs/bookcal/availabilities_card.php index fbe91e04399..a8f017a7bdc 100644 --- a/htdocs/bookcal/availabilities_card.php +++ b/htdocs/bookcal/availabilities_card.php @@ -122,6 +122,7 @@ if (!$permissiontoread) { /* * Actions */ + $error = 0; $parameters = array(); @@ -150,7 +151,7 @@ if (empty($reshook)) { $startyear = GETPOSTINT('startyear'); $starthour = GETPOSTINT('startHour'); - if (GETPOST('startHour') == "" && ($action == 'add' || $action == 'update')) { + if (GETPOST('startHour') == "" && ($action == 'add' || $action == 'update')) { // Test on permission not required $error++; setEventMessages($langs->trans("ErrorStartHourIsNull"), $hookmanager->errors, 'errors'); } @@ -162,7 +163,7 @@ if (empty($reshook)) { $endyear = GETPOSTINT('endyear'); $endhour = GETPOSTINT('endHour'); - if (GETPOST('endHour') == "" && ($action == 'add' || $action == 'update')) { + if (GETPOST('endHour') == "" && ($action == 'add' || $action == 'update')) { // Test on permission not required $error++; setEventMessages($langs->trans("ErrorEndHourIsNull"), $hookmanager->errors, 'errors'); } diff --git a/htdocs/comm/action/card.php b/htdocs/comm/action/card.php index 18fba3e22ba..ef33d404774 100644 --- a/htdocs/comm/action/card.php +++ b/htdocs/comm/action/card.php 
@@ -1185,7 +1185,7 @@ if (empty($reshook) && $action == 'update' && $usercancreate) { } // Delete event -if (empty($reshook) && $action == 'confirm_delete' && GETPOST("confirm") == 'yes') { +if (empty($reshook) && $action == 'confirm_delete' && GETPOST("confirm") == 'yes' && $usercancreate) { $object->fetch($id); $object->fetch_optionals(); $object->fetch_userassigned(); @@ -1208,7 +1208,7 @@ if (empty($reshook) && $action == 'confirm_delete' && GETPOST("confirm") == 'yes * Action move update, used when user move an event in calendar by drag'n drop * TODO Move this into page comm/action/index that trigger this call by the drag and drop of event. */ -if (empty($reshook) && GETPOST('actionmove', 'alpha') == 'mupdate') { +if (empty($reshook) && GETPOST('actionmove', 'alpha') == 'mupdate' && $usercancreate) { $error = 0; $shour = (int) dol_print_date($object->datep, "%H", 'tzuserrel'); // We take the date visible by user $newdate is also date visible by user. diff --git a/htdocs/comm/card.php b/htdocs/comm/card.php index c312fe4e15c..adb4007337f 100644 --- a/htdocs/comm/card.php +++ b/htdocs/comm/card.php @@ -184,7 +184,7 @@ if (empty($reshook)) { } // set accountancy code - if ($action == 'setcustomeraccountancycodegeneral') { + if ($action == 'setcustomeraccountancycodegeneral' && $permissiontoadd) { $result = $object->fetch($id); $object->accountancy_code_customer_general = GETPOST("customeraccountancycodegeneral"); $result = $object->update($object->id, $user, 1, 1, 0); diff --git a/htdocs/comm/propal/card.php b/htdocs/comm/propal/card.php index d7856b1aad4..a0a2dfbfc8b 100644 --- a/htdocs/comm/propal/card.php +++ b/htdocs/comm/propal/card.php 
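Review bot: `confirm_delete` is now gated on `$usercancreate`, the same variable the hunk header shows guarding `update`; if the agenda module exposes a distinct delete right, the deletion branch should use it, since a user allowed to edit an event is not necessarily allowed to remove it. Using the same variable for the `actionmove` drag-and-drop branch is consistent, as that is an edit. Also, `$object->fetch($id)` at the top of the delete branch is not checked before `fetch_optionals()` and `fetch_userassigned()` run; a bail-out such as `if ($object->fetch($id) <= 0) { ... }` would avoid acting on an unloaded object. The remainder of both branches is outside the hunk.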
@@ -1211,11 +1211,8 @@ if (empty($reshook)) { } header('Location: ' . $_SERVER["PHP_SELF"] . '?id=' . $id); exit(); - } elseif ( - $action == 'addline' && !GETPOST('submitforalllines', 'alpha') - && !GETPOST('submitforallmargins', 'alpha') && !GETPOST('markforalllines', 'alpha') - && $usercancreate - ) { // Add line + } elseif ($action == 'addline' && !GETPOST('submitforalllines', 'alpha') && !GETPOST('submitforallmargins', 'alpha') && !GETPOST('markforalllines', 'alpha') && $usercancreate) { + // Add line // Set if we used free entry or predefined product $predef = ''; $line_desc = (GETPOSTISSET('dp_desc') ? GETPOST('dp_desc', 'restricthtml') : ''); diff --git a/htdocs/commande/card.php b/htdocs/commande/card.php index 63fb222ced4..ab59815860c 100644 --- a/htdocs/commande/card.php +++ b/htdocs/commande/card.php @@ -1954,12 +1954,8 @@ if (empty($reshook)) { } } - // add lines from objectlinked - if ( - $action == 'import_lines_from_object' - && $usercancreate - && $object->status == Commande::STATUS_DRAFT - ) { + // Add lines from objectlinked + if ($action == 'import_lines_from_object' && $usercancreate && $object->status == Commande::STATUS_DRAFT) { $fromElement = GETPOST('fromelement'); $fromElementid = GETPOST('fromelementid'); $importLines = GETPOST('line_checkbox'); diff --git a/htdocs/compta/facture/card.php b/htdocs/compta/facture/card.php index a5b77a213d9..24eaa010bf4 100644 --- a/htdocs/compta/facture/card.php +++ b/htdocs/compta/facture/card.php @@ -294,7 +294,7 @@ if (empty($reshook)) { setEventMessages($object->error, $object->errors, 'errors'); } } - } elseif ($action == 'confirm_delete' && $confirm == 'yes') { + } elseif ($action == 'confirm_delete' && $confirm == 'yes' && $usercandelete) { // Delete invoice $result = $object->fetch($id); $object->fetch_thirdparty(); 
@@ -649,13 +649,13 @@ if (empty($reshook)) { } } } - } elseif ($action == 'set_incoterms' && isModEnabled('incoterm') && $usercancreate) { // Set incoterm + } elseif ($action == 'set_incoterms' && isModEnabled('incoterm') && $usercancreate) { // Set incoterm $result = $object->setIncoterms(GETPOSTINT('incoterm_id'), GETPOST('location_incoterms')); - } elseif ($action == 'set_dispute_status' && $usercancreate) { // Set dispute status + } elseif ($action == 'set_dispute_status' && $usercancreate) { // Set dispute status $result = $object->setStatut(GETPOSTINT('dispute_status'), null, 'facture', 'FACTURE_MODIFY', 'dispute_status'); - } elseif ($action == 'settags' && isModEnabled('category')) { // Set tags + } elseif ($action == 'settags' && isModEnabled('category') && $usercancreate) { // Set tags $result = $object->setCategories(GETPOST('categories', 'array')); - } elseif ($action == 'setbankaccount' && $usercancreate) { // bank account + } elseif ($action == 'setbankaccount' && $usercancreate) { // Bank account $result = $object->setBankAccount(GETPOSTINT('fk_account')); } elseif ($action == 'setremisepercent' && $usercancreate) { $object->fetch($id); @@ -3528,7 +3528,7 @@ if (empty($reshook)) { if (empty($id)) { $id = $facid; } - if (!empty($object->id) && $action == 'send') { + if (!empty($object->id) && $action == 'send') { // Test on permission not required // load totalpaid, totaldeposits, totalcreditnotes that can be used in email templates $object->getSommePaiement(-1); $object->getSumCreditNotesUsed(-1); diff --git a/htdocs/compta/paiement.php b/htdocs/compta/paiement.php index 8302ebba222..c471cf0d36f 100644 --- a/htdocs/compta/paiement.php +++ b/htdocs/compta/paiement.php @@ -218,7 +218,7 @@ if (empty($reshook)) { /* * Action add_paiement */ - if ($action == 'add_paiement') { + if ($action == 'add_paiement') { // Test on permission not required if ($error) { $action = 'create'; } 
diff --git a/htdocs/compta/payment_vat/card.php b/htdocs/compta/payment_vat/card.php index 4d2b0747a16..271d0bb9146 100644 --- a/htdocs/compta/payment_vat/card.php +++ b/htdocs/compta/payment_vat/card.php @@ -91,14 +91,12 @@ $outputlangs = $langs; // Validate social contribution /* -if ($action == 'confirm_valide' && $confirm == 'yes' && $user->rights->tax->charges->creer) -{ +if ($action == 'confirm_valide' && $confirm == 'yes' && $user->hasRight('tax', 'charges', '>creer') { $db->begin(); $result=$object->valide(); - if ($result > 0) - { + if ($result > 0) { $db->commit(); $factures=array(); // TODO Get all id of invoices linked to this payment @@ -120,9 +118,7 @@ if ($action == 'confirm_valide' && $confirm == 'yes' && $user->rights->tax->char header('Location: card.php?id='.$object->id); exit; - } - else - { + } else { setEventMessages($object->error, $object->errors, 'errors'); $db->rollback(); } diff --git a/htdocs/core/class/dolgeoip.class.php b/htdocs/core/class/dolgeoip.class.php index e6dea00c468..54b29653784 100644 --- a/htdocs/core/class/dolgeoip.class.php +++ b/htdocs/core/class/dolgeoip.class.php @@ -72,7 +72,7 @@ class DolGeoIP if (function_exists('stream_wrapper_restore')) { stream_wrapper_restore('phar'); } - require_once DOL_DOCUMENT_ROOT.'/includes/geoip2/geoip2.phar'; + include_once DOL_DOCUMENT_ROOT.'/includes/geoip2/geoip2.phar'; } } elseif ($type == 'city') { // geoip may have been already included with PEAR @@ -80,7 +80,7 @@ class DolGeoIP if (function_exists('stream_wrapper_restore')) { stream_wrapper_restore('phar'); } - require_once DOL_DOCUMENT_ROOT.'/includes/geoip2/geoip2.phar'; + include_once DOL_DOCUMENT_ROOT.'/includes/geoip2/geoip2.phar'; } } else { print 'ErrorBadParameterInConstructor'; diff --git a/htdocs/core/photos_resize.php b/htdocs/core/photos_resize.php index be9889cb78d..89ed0fe99d2 100644 --- a/htdocs/core/photos_resize.php +++ b/htdocs/core/photos_resize.php 
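Review bot: The rewritten condition in the commented-out `confirm_valide` block has two defects: the permission key is `'>creer'` with a stray `>`, and the closing parenthesis of the `if` is missing, so `$user->hasRight('tax', 'charges', '>creer') {` would be a parse error if the block were ever re-enabled, and with only the parenthesis fixed it would silently deny everyone because the key does not exist. The line should read `if ($action == 'confirm_valide' && $confirm == 'yes' && $user->hasRight('tax', 'charges', 'creer')) {`. Since the whole block sits inside a `/* … */` comment, the cleaner option is to delete it rather than modernise dead code.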
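Review bot: Switching `require_once` to `include_once` for `geoip2.phar` in both hunks turns a missing or unreadable archive from a fatal error into a warning, after which the method continues and the first use of a GeoIP2 class fails with a less informative error. If tolerating an absent bundle is the intent, the condition should be checked and recorded, e.g. `if (!file_exists(DOL_DOCUMENT_ROOT.'/includes/geoip2/geoip2.phar')) { $this->error = 'geoip2.phar not found'; return; }` — assuming the class keeps an `error` property like other Dolibarr classes; if it does not, `require_once` was the safer choice. The enclosing method starts before the hunk.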
@@ -418,8 +418,8 @@ if ($action == 'confirm_resize' && GETPOSTISSET("file") && GETPOSTISSET("sizex") } } -// Crop d'une image -if ($action == 'confirm_crop') { +// Crop if image +if ($action == 'confirm_crop') { // Test on permission already done if (empty($dir)) { print 'Bug: Value for $dir could not be defined.'; } diff --git a/htdocs/delivery/card.php b/htdocs/delivery/card.php index c25342438d2..2d261aadf88 100644 --- a/htdocs/delivery/card.php +++ b/htdocs/delivery/card.php @@ -214,7 +214,7 @@ if ($action == 'setdate_delivery' && $permissiontoadd) { if ($result < 0) { $mesg = '
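Review bot: The translated comment `// Crop if image` does not say what the French original (`Crop d'une image`) said; it should read `// Crop an image`. The appended `// Test on permission already done` cannot be checked from this hunk because the test it refers to is outside it; naming where it is done would make the comment useful to the next reader.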
'.$object->error.'
'; } -} elseif ($action == 'set_incoterms' && isModEnabled('incoterm')) { +} elseif ($action == 'set_incoterms' && isModEnabled('incoterm') && $permissiontoadd) { // Set incoterm $result = $object->setIncoterms(GETPOSTINT('incoterm_id'), GETPOST('location_incoterms')); } diff --git a/htdocs/eventorganization/conferenceorbooth_list.php b/htdocs/eventorganization/conferenceorbooth_list.php index dc55fee80b9..4efcbf4a96d 100644 --- a/htdocs/eventorganization/conferenceorbooth_list.php +++ b/htdocs/eventorganization/conferenceorbooth_list.php @@ -184,10 +184,7 @@ if (preg_match('/^set/', $action) && ($projectid > 0 || $projectref) && $user->h } } } -/*if ($action=='setaccept_conference_suggestions' && !empty(GETPOST('cancel', 'alpha'))) { -}*/ -//setaccept_booth_suggestions if (GETPOST('cancel', 'alpha')) { $action = 'list'; $massaction = ''; @@ -200,8 +197,6 @@ if (!GETPOST('confirmmassaction', 'alpha') && $massaction != 'presend' } - - $parameters = array(); $reshook = $hookmanager->executeHooks('doActions', $parameters, $object, $action); // Note that $action and $object may have been modified by some hooks if ($reshook < 0) { diff --git a/htdocs/expedition/card.php b/htdocs/expedition/card.php index 350cfc14b5b..4b5235badae 100644 --- a/htdocs/expedition/card.php +++ b/htdocs/expedition/card.php 
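Review bot: The `set_incoterms` branch stores the return value of `setIncoterms()` in `$result` but, unlike the same action in htdocs/expedition/shipment.php in this commit, never examines it, so a failed update is silent; add `if ($result < 0) { setEventMessages($object->error, $object->errors, 'errors'); }` after the call. The `setdate_delivery` branch above it (partly outside the hunk) does report `$object->error`, so this would also make the two branches consistent.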
@@ -637,27 +637,27 @@ if (empty($reshook)) { // Action update $error = 0; - if ($action == 'settracking_number') { + if ($action == 'settracking_number') { // Test on permission not required $object->tracking_number = trim(GETPOST('tracking_number', 'alpha')); } - if ($action == 'settracking_url') { + if ($action == 'settracking_url') { // Test on permission not required $object->tracking_url = trim(GETPOST('tracking_url', 'restricthtml')); } - if ($action == 'settrueWeight') { + if ($action == 'settrueWeight') { // Test on permission not required $object->trueWeight = GETPOSTINT('trueWeight'); $object->weight_units = GETPOSTINT('weight_units'); } - if ($action == 'settrueWidth') { + if ($action == 'settrueWidth') { // Test on permission not required $object->trueWidth = GETPOSTINT('trueWidth'); } - if ($action == 'settrueHeight') { + if ($action == 'settrueHeight') { // Test on permission not required $object->trueHeight = GETPOSTINT('trueHeight'); $object->size_units = GETPOSTINT('size_units'); } - if ($action == 'settrueDepth') { + if ($action == 'settrueDepth') { // Test on permission not required $object->trueDepth = GETPOSTINT('trueDepth'); } - if ($action == 'setshipping_method_id') { + if ($action == 'setshipping_method_id') { // Test on permission not required $object->shipping_method_id = GETPOSTINT('shipping_method_id'); } diff --git a/htdocs/expedition/shipment.php b/htdocs/expedition/shipment.php index e091f457068..ea69096110e 100644 --- a/htdocs/expedition/shipment.php +++ b/htdocs/expedition/shipment.php @@ -171,7 +171,7 @@ if (empty($reshook)) { if ($result < 0) { setEventMessages($object->error, $object->errors, 'errors'); } - } elseif ($action == 'set_incoterms' && isModEnabled('incoterm')) { + } elseif ($action == 'set_incoterms' && isModEnabled('incoterm') && $permissiontoadd) { // Set incoterm $result = $object->setIncoterms(GETPOSTINT('incoterm_id'), GETPOST('location_incoterms')); if ($result < 0) { 
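Review bot: Every `set*` branch in this hunk is annotated `// Test on permission not required`, yet each one assigns request input into `$object` (`tracking_number`, `tracking_url`, `trueWeight`, …); the write to storage is outside the hunk, so the claim holds only if that later update call is the one carrying the permission check. A comment naming the guard would be more useful than restating its absence, e.g. `// No permission test here: values are only persisted by the guarded update below`. The same annotation pattern appears in htdocs/mrp/mo_list.php, where the planned-date assignments are likewise persisted outside the hunk.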
diff --git a/htdocs/fourn/facture/card.php b/htdocs/fourn/facture/card.php index fcec106f314..ef17ff93e4c 100644 --- a/htdocs/fourn/facture/card.php +++ b/htdocs/fourn/facture/card.php @@ -467,7 +467,8 @@ if (empty($reshook)) { } elseif ($action == 'set_incoterms' && isModEnabled('incoterm') && $usercancreate) { // Set incoterm $result = $object->setIncoterms(GETPOSTINT('incoterm_id'), GETPOST('location_incoterms')); - } elseif ($action == 'settags' && isModEnabled('category')) { // Set tags + } elseif ($action == 'settags' && isModEnabled('category') && $usercancreate) { + // Set tags $result = $object->setCategories(GETPOST('categories', 'array')); } elseif ($action == 'setmode' && $usercancreate) { // payment mode diff --git a/htdocs/fourn/facture/paiement.php b/htdocs/fourn/facture/paiement.php index f4966d1f6ef..e5117c0c93b 100644 --- a/htdocs/fourn/facture/paiement.php +++ b/htdocs/fourn/facture/paiement.php @@ -270,7 +270,7 @@ if (empty($reshook)) { /* * Action add_paiement */ - if ($action == 'add_paiement') { + if ($action == 'add_paiement') { // Test on permission not required if ($error) { $action = 'create'; } @@ -281,7 +281,7 @@ if (empty($reshook)) { /* * Action confirm_paiement */ - if ($action == 'confirm_paiement' && $confirm == 'yes') { + if ($action == 'confirm_paiement' && $confirm == 'yes' && $permissiontoadd) { $datepaye = dol_mktime(12, 0, 0, GETPOSTINT('remonth'), GETPOSTINT('reday'), GETPOSTINT('reyear')); $multicurrency_code = array(); diff --git a/htdocs/holiday/card.php b/htdocs/holiday/card.php index 2eeb14b3141..ba283923276 100644 --- a/htdocs/holiday/card.php +++ b/htdocs/holiday/card.php 
@@ -132,7 +132,7 @@ $candelete = 0; if ($user->hasRight('holiday', 'delete')) { $candelete = 1; } -if ($object->status == Holiday::STATUS_DRAFT && $user->hasRight('holiday', 'write') && in_array($object->fk_user, $childids)) { +if (($object->status == Holiday::STATUS_DRAFT || $object->status == Holiday::STATUS_CANCELED || $object->status == Holiday::STATUS_REFUSED) && $user->hasRight('holiday', 'write') && in_array($object->fk_user, $childids)) { $candelete = 1; } @@ -618,11 +618,11 @@ if (empty($reshook)) { } // Approve leave request - if ($action == 'confirm_valid') { + if ($action == 'confirm_valid' && $permissiontoapprove) { // Test on permission done later $object->fetch($id); // If status is waiting approval and approver is also user - if ($object->status == Holiday::STATUS_VALIDATED && ($user->id == $object->fk_validator || $permissiontoaddall) && $user->hasRight('holiday', 'approve')) { + if ($object->status == Holiday::STATUS_VALIDATED && ($user->id == $object->fk_validator || $permissiontoaddall) && $permissiontoapprove) { $object->oldcopy = dol_clone($object, 2); // @phan-suppress-current-line PhanTypeMismatchProperty $object->date_approval = dol_now(); @@ -726,12 +726,12 @@ if (empty($reshook)) { } } - if ($action == 'confirm_refuse' && GETPOST('confirm', 'alpha') == 'yes') { + if ($action == 'confirm_refuse' && GETPOST('confirm', 'alpha') == 'yes' && $permissiontoapprove) { // Test on permission done later if (GETPOST('detail_refuse')) { $object->fetch($id); // If status pending validation and validator = user - if ($object->status == Holiday::STATUS_VALIDATED && ($user->id == $object->fk_validator || $permissiontoaddall) && $user->hasRight('holiday', 'approve')) { + if ($object->status == Holiday::STATUS_VALIDATED && ($user->id == $object->fk_validator || $permissiontoaddall) && $permissiontoapprove) { $object->date_refuse = dol_now(); $object->fk_user_refuse = $user->id; $object->statut = Holiday::STATUS_REFUSED; 
@@ -819,7 +819,7 @@ if (empty($reshook)) { // If the request is validated - if ($action == 'confirm_draft' && GETPOST('confirm') == 'yes') { + if ($action == 'confirm_draft' && GETPOST('confirm') == 'yes' && $permissiontoadd) { // Test on permission done later $error = 0; $object->fetch($id); @@ -845,14 +845,14 @@ if (empty($reshook)) { } // If confirmation of cancellation - if ($action == 'confirm_cancel' && GETPOST('confirm') == 'yes') { + if ($action == 'confirm_cancel' && GETPOST('confirm') == 'yes') { // Test on permission done later $error = 0; $object->fetch($id); // If status pending validation and validator = validator or user, or rights to do for others if (($object->status == Holiday::STATUS_VALIDATED || $object->status == Holiday::STATUS_APPROVED) && - (!empty($user->admin) || $user->id == $object->fk_validator || $permissiontoadd || $permissiontoaddall)) { + ($user->id == $object->fk_validator || $permissiontoadd || $permissiontoaddall || $permissiontoapprove)) { $db->begin(); $oldstatus = $object->status; @@ -1503,7 +1503,7 @@ if ((empty($id) && empty($ref)) || $action == 'create' || $action == 'add') { if (empty($include_users)) { print img_warning().' '.$langs->trans("NobodyHasPermissionToValidateHolidays"); } else { - $arrayofvalidatorstoexclude = (($user->admin || ($user->id != $userRequest->id)) ? '' : array($user->id)); // Nobody if we are admin or if we are not the user of the leave. + $arrayofvalidatorstoexclude = (($user->admin || ($user->id != $userRequest->id)) ? '' : array($user->id)); // We exclude ourself from validator list. Not if we are admin or if we are on the leave of someone else $s = $form->select_dolusers($object->fk_validator, "valideur", (($action == 'editvalidator') ? 0 : 1), $arrayofvalidatorstoexclude, 0, $include_users); print $form->textwithpicto($s, $langs->trans("AnyOtherInThisListCanValidate")); } 
@@ -1606,7 +1606,7 @@ if ((empty($id) && empty($ref)) || $action == 'create' || $action == 'add') { if ($object->status == Holiday::STATUS_VALIDATED) { // If validated // Button Approve / Refuse - if (($user->id == $object->fk_validator || $permissiontoaddall) && $user->hasRight('holiday', 'approve')) { + if (($user->id == $object->fk_validator || $permissiontoaddall) && $permissiontoapprove) { print ''.$langs->trans("Approve").''; print ''.$langs->trans("ActionRefuseCP").''; } else { 
@@ -1618,31 +1618,31 @@ if ((empty($id) && empty($ref)) || $action == 'create' || $action == 'add') { if (($object->date_fin > dol_now()) || !empty($user->admin)) { print ''.$langs->trans("ActionCancelCP").''; } else { - print 'trans("NotAllowed").'">'.$langs->trans("ActionCancelCP").''; + print 'trans("NotAllowed").'">'.$langs->trans("ActionCancelCP").''; } } } } if ($object->status == Holiday::STATUS_APPROVED) { // If validated and approved - if ($user->id == $object->fk_validator || $user->id == $object->fk_user_approve || $permissiontoadd || $permissiontoaddall) { - if (($object->date_fin > dol_now()) || !empty($user->admin) || $user->id == $object->fk_user_approve) { + if ($user->id == $object->fk_validator || $user->id == $object->fk_user_approve || $permissiontoadd || $permissiontoaddall || $permissiontoapprove) { + if (($object->date_fin > dol_now()) || $permissiontoapprove || $user->id == $object->fk_user_approve) { print ''.$langs->trans("ActionCancelCP").''; } else { - print 'trans("NotAllowed").'">'.$langs->trans("ActionCancelCP").''; + if ($object->date_fin <= dol_now() && $permissiontoapprove) { + print ''.$langs->trans("ActionCancelCP").''; + } else { + print 'trans("NotAllowed").'">'.$langs->trans("ActionCancelCP").''; + } } } else { // I have no rights on the user of the holiday. 
- if (!empty($user->admin)) { // If current approver can't cancel an approved leave, we allow admin user - print ''.$langs->trans("ActionCancelCP").''; - } else { - print ''.$langs->trans("ActionCancelCP").''; - } + print ''.$langs->trans("ActionCancelCP").''; } } if (($permissiontoadd || $permissiontoaddall) && $object->status == Holiday::STATUS_CANCELED) { print ''.$langs->trans("SetToDraft").''; } - if ($candelete && ($object->status == Holiday::STATUS_DRAFT || $object->status == Holiday::STATUS_CANCELED || $object->status == Holiday::STATUS_REFUSED)) { // If draft or canceled or refused + if ($candelete) { // If draft or canceled or refused print ''.$langs->trans("DeleteCP").''; } diff --git a/htdocs/hrm/evaluation_card.php b/htdocs/hrm/evaluation_card.php index bfd3a62ee85..8206afc6289 100644 --- a/htdocs/hrm/evaluation_card.php +++ b/htdocs/hrm/evaluation_card.php @@ -130,7 +130,7 @@ if (empty($reshook)) { if (empty($backtopage) || ($cancel && empty($id))) { if (empty($backtopage) || ($cancel && strpos($backtopage, '__ID__'))) { - if (empty($id) && (($action != 'add' && $action != 'create') || $cancel)) { + if (empty($id) && (($action != 'add' && $action != 'create') || $cancel)) { // Test on permission not required $backtopage = $backurlforlist; } else { $backtopage = dol_buildpath('/hrm/evaluation_card.php', 1).'?id='.($id > 0 ? $id : '__ID__'); @@ -166,7 +166,7 @@ if (empty($reshook)) { $trackid = 'evaluation'.$object->id; include DOL_DOCUMENT_ROOT.'/core/actions_sendmails.inc.php'; - if ($action == 'saveSkill') { + if ($action == 'saveSkill' && $permissiontoadd) { $TNote = GETPOST('TNote', 'array'); if (!empty($TNote)) { foreach ($object->lines as $line) { diff --git a/htdocs/hrm/job_card.php b/htdocs/hrm/job_card.php index a10f46c5f34..0b9da0b3a95 100644 --- a/htdocs/hrm/job_card.php +++ b/htdocs/hrm/job_card.php 
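Review bot: In the approved-leave block of the last hunk, the new inner test `if ($object->date_fin <= dol_now() && $permissiontoapprove)` can never be true: it sits in the `else` of `if (($object->date_fin > dol_now()) || $permissiontoapprove || $user->id == $object->fk_user_approve)`, so `$permissiontoapprove` is already false there, and the enabled cancel link it prints is dead code. Either drop the inner `if` and keep only the disabled link, or fold the intended condition into the outer test. Separately, the first hunk of this file sets `$candelete = 1` for any holder of the `holiday` delete right regardless of status, while the button test in the last hunk is reduced to `if ($candelete)`, so the Delete button now appears on validated and approved leaves as well; the action handler that enforces status is outside the hunk, so confirm that widening is intended.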
@@ -124,7 +124,7 @@ if (empty($reshook)) { if (empty($backtopage) || ($cancel && empty($id))) { if (empty($backtopage) || ($cancel && strpos($backtopage, '__ID__'))) { - if (empty($id) && (($action != 'add' && $action != 'create') || $cancel)) { + if (empty($id) && (($action != 'add' && $action != 'create') || $cancel)) { // Test on permission not required $backtopage = $backurlforlist; } else { $backtopage = dol_buildpath('/hrm/job_card.php', 1) . '?id=' . ($id > 0 ? $id : '__ID__'); @@ -165,7 +165,7 @@ if (empty($reshook)) { $trackid = 'job' . $object->id; include DOL_DOCUMENT_ROOT . '/core/actions_sendmails.inc.php'; - if ($action == 'confirm_clone' && $confirm != 'yes') { + if ($action == 'confirm_clone' && $confirm != 'yes') { // Test on permission not required $action = ''; } diff --git a/htdocs/hrm/skill_card.php b/htdocs/hrm/skill_card.php index 5cfd35c43bb..b22887a87a6 100644 --- a/htdocs/hrm/skill_card.php +++ b/htdocs/hrm/skill_card.php @@ -193,8 +193,6 @@ if (empty($reshook)) { } - - // Actions when linking object each other include DOL_DOCUMENT_ROOT . '/core/actions_dellink.inc.php'; @@ -220,7 +218,7 @@ if (empty($reshook)) { $trackid = 'skill' . $object->id; include DOL_DOCUMENT_ROOT . '/core/actions_sendmails.inc.php'; - if ($action == 'confirm_clone' && $confirm != 'yes') { + if ($action == 'confirm_clone' && $confirm != 'yes') { // Test on permission not required $action = ''; } diff --git a/htdocs/imports/import.php b/htdocs/imports/import.php index 0afe156a868..c07522ebcb5 100644 --- a/htdocs/imports/import.php +++ b/htdocs/imports/import.php @@ -248,7 +248,7 @@ if ($step == 3 && $datatoimport) { } // Delete file - if ($action == 'confirm_deletefile' && $confirm == 'yes') { + if ($action == 'confirm_deletefile' && $confirm == 'yes' && $user->hasRight('import', 'run')) { $langs->load("other"); $param = '&datatoimport='.urlencode($datatoimport).'&format='.urlencode($format); 
diff --git a/htdocs/knowledgemanagement/knowledgerecord_card.php b/htdocs/knowledgemanagement/knowledgerecord_card.php index 77278834407..ddb2a0b6995 100644 --- a/htdocs/knowledgemanagement/knowledgerecord_card.php +++ b/htdocs/knowledgemanagement/knowledgerecord_card.php @@ -161,10 +161,11 @@ if (empty($reshook)) { $trackid = 'knowledgerecord'.$object->id; include DOL_DOCUMENT_ROOT.'/core/actions_sendmails.inc.php'; } -if ($action == 'confirm_validate') { +if ($action == 'confirm_validate') { // Test on permission already done into actions_addupdatedelete.inc.php $action = 'edit'; } + /* * View */ diff --git a/htdocs/langs/en_US/holiday.lang b/htdocs/langs/en_US/holiday.lang index 1be2be1cfba..51c97c042bd 100644 --- a/htdocs/langs/en_US/holiday.lang +++ b/htdocs/langs/en_US/holiday.lang @@ -2,6 +2,7 @@ HRM=HRM Holidays=Leaves Holiday=Leave +HolidayStarted=Leave started CPTitreMenu=Leave MenuReportMonth=Monthly statement MenuAddCP=New leave request diff --git a/htdocs/mrp/mo_list.php b/htdocs/mrp/mo_list.php index 2ea2f8f2289..c712d5998fc 100644 --- a/htdocs/mrp/mo_list.php +++ b/htdocs/mrp/mo_list.php @@ -255,14 +255,14 @@ if (empty($reshook)) { if ($objMo->fetch($idMo)) { if ($objMo->status == Mo::STATUS_DRAFT) { if (!empty($changeDate)) { - if ($action == 'changedatestart_confirm') { + if ($action == 'changedatestart_confirm') { // Test on permission not required if ($newDate < $objMo->date_end_planned) { $objMo->date_start_planned = $newDate; } else { setEventMessages($langs->trans('ErrorModifyMoDateStart', $objMo->ref), null, 'errors'); break; } - } elseif ($action == 'changedateend_confirm') { + } elseif ($action == 'changedateend_confirm') { // Test on permission not required if ($newDate > $objMo->date_start_planned) { $objMo->date_end_planned = $newDate; } else { diff --git a/htdocs/mrp/mo_movements.php b/htdocs/mrp/mo_movements.php index a10224431d0..1b180055b9c 100644 --- a/htdocs/mrp/mo_movements.php +++ b/htdocs/mrp/mo_movements.php 
@@ -254,7 +254,7 @@ if (empty($reshook)) { $object->setProject(GETPOSTINT('projectid')); } - if ($action == 'confirm_reopen') { + if ($action == 'confirm_reopen' && $permissiontoadd) { $result = $object->setStatut($object::STATUS_INPROGRESS, 0, '', 'MRP_REOPEN'); } } diff --git a/htdocs/product/card.php b/htdocs/product/card.php index 7cb28ccc45d..ae9cc460a94 100644 --- a/htdocs/product/card.php +++ b/htdocs/product/card.php @@ -962,7 +962,7 @@ if (empty($reshook)) { } // Action clone object - if ($action == 'confirm_clone' && $confirm != 'yes') { + if ($action == 'confirm_clone' && $confirm != 'yes') { // Test on permission not required $action = ''; } if ($action == 'confirm_clone' && $confirm == 'yes' && $usercancreate) { @@ -1087,7 +1087,7 @@ if (empty($reshook)) { } // Delete a product - if ($action == 'confirm_delete' && $confirm != 'yes') { + if ($action == 'confirm_delete' && $confirm != 'yes') { // Test on permission not required $action = ''; } if ($action == 'confirm_delete' && $confirm == 'yes' && $usercandelete) { diff --git a/htdocs/product/price.php b/htdocs/product/price.php index b0c1fe9a8b9..59ba01bdffe 100644 --- a/htdocs/product/price.php +++ b/htdocs/product/price.php @@ -110,6 +110,13 @@ if ($object->id > 0) { $maxpricesupplier = 0; +if ($object->id > 0) { + $permissiontoadd = $object->getRights()->creer; +} else { + $permissiontoadd = ($user->hasRight('produit', 'creer') || $user->hasRight('service', 'creer')); +} + + /* * Actions */ @@ -136,7 +143,7 @@ if (empty($reshook)) { $action = ''; } - if (($action == 'update_vat') && !$cancel && ($user->hasRight('produit', 'creer') || $user->hasRight('service', 'creer'))) { + if (($action == 'update_vat') && !$cancel && $permissiontoadd) { $tva_tx_txt = GETPOST('tva_tx', 'alpha'); // tva_tx can be '8.5' or '8.5*' or '8.5 (XXX)' or '8.5* (XXX)' $price_label = GETPOST('price_label', 'alpha'); 
@@ -278,7 +285,7 @@ if (empty($reshook)) { $maxpricesupplier = 0; - if (($action == 'update_price' || $action == 'update_level_price') && !$cancel && $object->getRights()->creer) { + if (($action == 'update_price' || $action == 'update_level_price') && !$cancel && $permissiontoadd) { $error = 0; $pricestoupdate = array(); @@ -305,7 +312,8 @@ if (empty($reshook)) { } // Multiprices - if (!$error && (getDolGlobalString('PRODUIT_MULTIPRICES') || getDolGlobalString('PRODUIT_CUSTOMER_PRICES_BY_QTY_MULTIPRICES') || ($action == 'update_level_price' && getDolGlobalString('PRODUIT_CUSTOMER_PRICES_AND_MULTIPRICES')))) { + if (!$error && (getDolGlobalString('PRODUIT_MULTIPRICES') || getDolGlobalString('PRODUIT_CUSTOMER_PRICES_BY_QTY_MULTIPRICES') + || ($action == 'update_level_price' && getDolGlobalString('PRODUIT_CUSTOMER_PRICES_AND_MULTIPRICES')))) { // Test on permission already done $newprice = GETPOST('price', 'array'); $newprice_min = GETPOST('price_min', 'array'); $newpricebase = GETPOST('multiprices_base_type', 'array'); @@ -627,7 +635,7 @@ if (empty($reshook)) { } // Set Price by quantity - if ($action == 'activate_price_by_qty') { + if ($action == 'activate_price_by_qty' && $permissiontoadd) { // Activating product price by quantity add a new price line with price_by_qty set to 1 $level = GETPOSTINT('level'); $basePrice = ($object->price_base_type == 'HT') ? $object->price : $object->price_ttc; @@ -639,7 +647,7 @@ if (empty($reshook)) { } } // Unset Price by quantity - if ($action == 'disable_price_by_qty') { + if ($action == 'disable_price_by_qty' && $permissiontoadd) { // Disabling product price by quantity add a new price line with price_by_qty set to 0 $level = GETPOSTINT('level'); $basePrice = ($object->price_base_type == 'HT') ? $object->price : $object->price_ttc; 
@@ -651,12 +659,12 @@ if (empty($reshook)) { } } - if ($action == 'edit_price_by_qty') { // Edition d'un prix par quantité + if ($action == 'edit_price_by_qty') { // Test on permission not required $rowid = GETPOSTINT('rowid'); } // Add or update price by quantity - if ($action == 'update_price_by_qty') { + if ($action == 'update_price_by_qty' && $permissiontoadd) { // Récupération des variables $rowid = GETPOSTINT('rowid'); $priceid = GETPOSTINT('priceid'); @@ -713,7 +721,7 @@ if (empty($reshook)) { } } - if ($action == 'delete_price_by_qty') { + if ($action == 'delete_price_by_qty' && $permissiontoadd) { $rowid = GETPOSTINT('rowid'); if (!empty($rowid)) { $sql = "DELETE FROM ".MAIN_DB_PREFIX."product_price_by_qty"; @@ -725,7 +733,7 @@ if (empty($reshook)) { } } - if ($action == 'delete_all_price_by_qty') { + if ($action == 'delete_all_price_by_qty' && $permissiontoadd) { $priceid = GETPOSTINT('priceid'); if (!empty($rowid)) { $sql = "DELETE FROM ".MAIN_DB_PREFIX."product_price_by_qty"; diff --git a/htdocs/product/stock/massstockmove.php b/htdocs/product/stock/massstockmove.php index 2b764148490..9025f1351a4 100644 --- a/htdocs/product/stock/massstockmove.php +++ b/htdocs/product/stock/massstockmove.php @@ -103,6 +103,8 @@ if (!empty($_SESSION['massstockmove'])) { $error = 0; +$permissiontodelete = $user->hasRight('stock', 'mouvement', 'creer'); + /* * Actions 
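Review bot: The newly guarded `delete_all_price_by_qty` branch reads `$priceid = GETPOSTINT('priceid')` and then tests `if (!empty($rowid))`, which looks copied from the `delete_price_by_qty` branch just above; unless `$rowid` is set earlier in the file, the delete is either skipped or keyed on a stale `$rowid` from another branch, and `if (!empty($priceid)) {` is presumably what was meant. The SQL that follows is outside the hunk, so check which variable it actually binds. The `$permissiontoadd` definition added in the first hunk of this file is sound, but the `// Test on permission already done` comment on the multiprices condition points at a guard only visible in the `update_price` hunk; naming it in the comment would help.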
@@ -526,17 +528,9 @@ if ($action == 'importCSV' && $user->hasRight('stock', 'mouvement', 'creer')) { $_SESSION['massstockmove'] = json_encode($listofdata); } -if ($action == 'confirm_deletefile' && $confirm == 'yes') { +if ($action == 'confirm_deletefile' && $confirm == 'yes' && $permissiontodelete) { $langs->load("other"); - $param = '&datatoimport='.urlencode($datatoimport).'&format='.urlencode($format); - if ($excludefirstline) { - $param .= '&excludefirstline='.urlencode($excludefirstline); - } - if ($endatlinenb) { - $param .= '&endatlinenb='.urlencode($endatlinenb); - } - $file = $conf->stock->dir_temp.'/'.GETPOST('urlfile'); $ret = dol_delete_file($file); if ($ret) { diff --git a/htdocs/product/stock/stocktransfer/stocktransfer_card.php b/htdocs/product/stock/stocktransfer/stocktransfer_card.php index fb91e6d716e..f078d5c02c1 100644 --- a/htdocs/product/stock/stocktransfer/stocktransfer_card.php +++ b/htdocs/product/stock/stocktransfer/stocktransfer_card.php 
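Review bot: `$file = $conf->stock->dir_temp.'/'.GETPOST('urlfile');` builds the path passed to `dol_delete_file()` from the raw `urlfile` parameter with no sanitize filter and no check that the result stays inside `dir_temp`, and the new `$permissiontodelete` gate does not change that. Unless `dol_delete_file()` or the global request filtering in main.inc.php rejects path separators (I cannot confirm that from the hunk), a user holding the create-movement right can name a file outside the temp directory; restricting the value, e.g. `$file = $conf->stock->dir_temp.'/'.dol_sanitizeFileName(GETPOST('urlfile', 'alpha'));`, and checking the resolved path still starts with `$conf->stock->dir_temp` would close that. Dropping the dead `$param` build-up is fine. The branch continues past the end of the hunk.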
@@ -286,114 +286,112 @@ if (empty($reshook)) { } } - if ($permissiontoadd) { - // Décrémentation - if ($action == 'confirm_destock' && $confirm == 'yes' && $object->status == $object::STATUS_VALIDATED) { - $lines = $object->getLinesArray(); - if (!empty($lines)) { - $db->begin(); - foreach ($lines as $line) { - $res = $line->doStockMovement($label, $code_inv, $line->fk_warehouse_source); - if ($res < 0) { - $error++; - setEventMessages($line->error, $line->errors, 'errors'); - } - } - if (empty($error)) { - $db->commit(); - } else { - $db->rollback(); + // Decrease + if ($action == 'confirm_destock' && $confirm == 'yes' && $object->status == $object::STATUS_VALIDATED && $permissiontoadd) { + $lines = $object->getLinesArray(); + if (!empty($lines)) { + $db->begin(); + foreach ($lines as $line) { + $res = $line->doStockMovement($label, $code_inv, $line->fk_warehouse_source); + if ($res < 0) { + $error++; + setEventMessages($line->error, $line->errors, 'errors'); } } if (empty($error)) { - $object->setStatut($object::STATUS_TRANSFERED, $id); - $object->status = $object::STATUS_TRANSFERED; - $object->date_reelle_depart = dol_now(); - $object->update($user); - setEventMessage('StockStransferDecremented'); + $db->commit(); + } else { + $db->rollback(); } } + if (empty($error)) { + $object->setStatut($object::STATUS_TRANSFERED, $id); + $object->status = $object::STATUS_TRANSFERED; + $object->date_reelle_depart = dol_now(); + $object->update($user); + setEventMessage('StockStransferDecremented'); + } + } - // Annulation décrémentation - if ($action == 'confirm_destockcancel' && $confirm == 'yes' && $object->status == $object::STATUS_TRANSFERED) { - $lines = $object->getLinesArray(); - if (!empty($lines)) { - $db->begin(); - foreach ($lines as $line) { - $res = $line->doStockMovement($label, $code_inv, $line->fk_warehouse_source, 0); - if ($res <= 0) { - $error++; - setEventMessages($line->error, $line->errors, 'errors'); - } - } - if (empty($error)) { - $db->commit(); - } 
else { - $db->rollback(); + // Annulation décrémentation + if ($action == 'confirm_destockcancel' && $confirm == 'yes' && $object->status == $object::STATUS_TRANSFERED && $permissiontoadd) { + $lines = $object->getLinesArray(); + if (!empty($lines)) { + $db->begin(); + foreach ($lines as $line) { + $res = $line->doStockMovement($label, $code_inv, $line->fk_warehouse_source, 0); + if ($res <= 0) { + $error++; + setEventMessages($line->error, $line->errors, 'errors'); } } if (empty($error)) { - $object->setStatut($object::STATUS_VALIDATED, $id); - $object->status = $object::STATUS_VALIDATED; - $object->date_reelle_depart = null; - $object->update($user); - setEventMessage('StockStransferDecrementedCancel', 'warnings'); + $db->commit(); + } else { + $db->rollback(); } } + if (empty($error)) { + $object->setStatut($object::STATUS_VALIDATED, $id); + $object->status = $object::STATUS_VALIDATED; + $object->date_reelle_depart = null; + $object->update($user); + setEventMessage('StockStransferDecrementedCancel', 'warnings'); + } + } - // Incrémentation - if ($action == 'confirm_addstock' && $confirm == 'yes' && $object->status == $object::STATUS_TRANSFERED) { - $lines = $object->getLinesArray(); - if (!empty($lines)) { - $db->begin(); - foreach ($lines as $line) { - $res = $line->doStockMovement($label, $code_inv, $line->fk_warehouse_destination, 0); - if ($res <= 0) { - $error++; - setEventMessages($line->error, $line->errors, 'errors'); - } - } - if (empty($error)) { - $db->commit(); - } else { - $db->rollback(); + // Incrémentation + if ($action == 'confirm_addstock' && $confirm == 'yes' && $object->status == $object::STATUS_TRANSFERED && $permissiontoadd) { + $lines = $object->getLinesArray(); + if (!empty($lines)) { + $db->begin(); + foreach ($lines as $line) { + $res = $line->doStockMovement($label, $code_inv, $line->fk_warehouse_destination, 0); + if ($res <= 0) { + $error++; + setEventMessages($line->error, $line->errors, 'errors'); } } if (empty($error)) { - 
$object->setStatut($object::STATUS_CLOSED, $id); - $object->status = $object::STATUS_CLOSED; - $object->date_reelle_arrivee = dol_now(); - $object->update($user); - setEventMessage('StockStransferIncrementedShort'); + $db->commit(); + } else { + $db->rollback(); } } + if (empty($error)) { + $object->setStatut($object::STATUS_CLOSED, $id); + $object->status = $object::STATUS_CLOSED; + $object->date_reelle_arrivee = dol_now(); + $object->update($user); + setEventMessage('StockStransferIncrementedShort'); + } + } - // Annulation incrémentation - if ($action == 'confirm_addstockcancel' && $confirm == 'yes' && $object->status == $object::STATUS_CLOSED) { - $lines = $object->getLinesArray(); - if (!empty($lines)) { - $db->begin(); - foreach ($lines as $line) { - $res = $line->doStockMovement($label, $code_inv, $line->fk_warehouse_destination); - if ($res <= 0) { - $error++; - setEventMessages($line->error, $line->errors, 'errors'); - } - } - if (empty($error)) { - $db->commit(); - } else { - $db->rollback(); + // Annulation incrémentation + if ($action == 'confirm_addstockcancel' && $confirm == 'yes' && $object->status == $object::STATUS_CLOSED && $permissiontoadd) { + $lines = $object->getLinesArray(); + if (!empty($lines)) { + $db->begin(); + foreach ($lines as $line) { + $res = $line->doStockMovement($label, $code_inv, $line->fk_warehouse_destination); + if ($res <= 0) { + $error++; + setEventMessages($line->error, $line->errors, 'errors'); } } if (empty($error)) { - $object->setStatut($object::STATUS_TRANSFERED, $id); - $object->status = $object::STATUS_TRANSFERED; - $object->date_reelle_arrivee = null; - $object->update($user); - setEventMessage('StockStransferIncrementedShortCancel', 'warnings'); + $db->commit(); + } else { + $db->rollback(); } } + if (empty($error)) { + $object->setStatut($object::STATUS_TRANSFERED, $id); + $object->status = $object::STATUS_TRANSFERED; + $object->date_reelle_arrivee = null; + $object->update($user); + 
setEventMessage('StockStransferIncrementedShortCancel', 'warnings'); + } } // Set incoterm diff --git a/htdocs/projet/tasks/task.php b/htdocs/projet/tasks/task.php index 4dc8f432cbd..ccdd9881d7e 100644 --- a/htdocs/projet/tasks/task.php +++ b/htdocs/projet/tasks/task.php @@ -180,7 +180,7 @@ if ($action == 'confirm_merge' && $confirm == 'yes' && $user->hasRight('projet', } } -if ($action == 'confirm_clone' && $confirm == 'yes') { +if ($action == 'confirm_clone' && $confirm == 'yes' && $user->hasRight('projet', 'creer')) { //$clone_contacts = GETPOST('clone_contacts') ? 1 : 0; $clone_prog = GETPOST('clone_prog') ? 1 : 0; $clone_time = GETPOST('clone_time') ? 1 : 0; diff --git a/htdocs/projet/tasks/time.php b/htdocs/projet/tasks/time.php index ad8451c6659..74338e03b61 100644 --- a/htdocs/projet/tasks/time.php +++ b/htdocs/projet/tasks/time.php @@ -417,7 +417,7 @@ if ($id <= 0 && $projectidforalltimes == 0) { $allprojectforuser = $user->id; } -if ($action == 'confirm_generateinvoice') { +if ($action == 'confirm_generateinvoice' && $user->hasRight('facture', 'creer')) { if (!empty($projectstatic->socid)) { $projectstatic->fetch_thirdparty(); } @@ -799,7 +799,7 @@ if ($action == 'confirm_generateinvoice') { } } -if ($action == 'confirm_generateinter') { +if ($action == 'confirm_generateinter' && $user->hasRight('fichinter', 'creer')) { $langs->load('interventions'); if (!empty($projectstatic->socid)) { diff --git a/htdocs/reception/card.php b/htdocs/reception/card.php index 825590bfadc..3338350dc1e 100644 --- a/htdocs/reception/card.php +++ b/htdocs/reception/card.php 
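Review bot: In all four `confirm_*` branches the status change (`setStatut()`, the date assignment and `$object->update($user)`) runs after `$db->commit()`, outside the transaction that moved the stock, and the return values of `setStatut()` and `update()` are never checked; if either fails, the warehouse quantities have already changed while the transfer still shows its old status. Running the status update inside the transaction, before the commit/rollback decision, keeps the two consistent, and the sketch below shows it for `confirm_destock` (the other three branches follow the same shape). Separately, `confirm_destock` treats `$res < 0` as failure while the other three use `$res <= 0`; unless `doStockMovement()` legitimately returns 0 in the source-warehouse case, one of them is wrong. The `setEventMessage('StockStransferDecremented')` calls also pass the raw key instead of `$langs->trans(...)`, so the user sees the untranslated key.
```php
	// Decrease
	if ($action == 'confirm_destock' && $confirm == 'yes' && $object->status == $object::STATUS_VALIDATED && $permissiontoadd) {
		$lines = $object->getLinesArray();
		$db->begin();
		// … unchanged: foreach ($lines as $line) doStockMovement loop …
		if (empty($error)) {
			// Status change joins the same transaction as the stock movements
			$object->status = $object::STATUS_TRANSFERED;
			$object->date_reelle_depart = dol_now();
			if ($object->setStatut($object::STATUS_TRANSFERED, $id) < 0 || $object->update($user) < 0) {
				$error++;
				setEventMessages($object->error, $object->errors, 'errors');
			}
		}
		if (empty($error)) {
			$db->commit();
			setEventMessages($langs->trans('StockStransferDecremented'), null, 'mesgs');
		} else {
			$db->rollback();
		}
	}
```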
@@ -550,36 +550,31 @@ if (empty($reshook)) { if ($result < 0) { setEventMessages($object->error, $object->errors, 'errors'); } - } elseif (($action == 'settracking_number' || $action == 'settracking_url' - || $action == 'settrueWeight' - || $action == 'settrueWidth' - || $action == 'settrueHeight' - || $action == 'settrueDepth' - || $action == 'setshipping_method_id') && $permissiontoadd) { + } elseif (in_array($action, array('settracking_number', 'settracking_url', 'settrueWeight', 'settrueWidth', 'settrueHeight', 'settrueDepth', 'setshipping_method_id')) && $permissiontoadd) { // Action update $error = 0; - if ($action == 'settracking_number') { // Test on permission to add + if ($action == 'settracking_number') { // Test on permission already done $object->tracking_number = trim(GETPOST('tracking_number', 'alpha')); } - if ($action == 'settracking_url') { // Test on permission to add + if ($action == 'settracking_url') { // Test on permission already done $object->tracking_url = trim(GETPOST('tracking_url', 'restricthtml')); } - if ($action == 'settrueWeight') { // Test on permission to add + if ($action == 'settrueWeight') { // Test on permission already done $object->trueWeight = GETPOSTINT('trueWeight'); $object->weight_units = GETPOSTINT('weight_units'); } - if ($action == 'settrueWidth') { // Test on permission to add + if ($action == 'settrueWidth') { // Test on permission already done $object->trueWidth = GETPOSTINT('trueWidth'); } - if ($action == 'settrueHeight') { // Test on permission to add + if ($action == 'settrueHeight') { // Test on permission already done $object->trueHeight = GETPOSTINT('trueHeight'); $object->size_units = GETPOSTINT('size_units'); } - if ($action == 'settrueDepth') { // Test on permission to add + if ($action == 'settrueDepth') { // Test on permission already done $object->trueDepth = GETPOSTINT('trueDepth'); } - if ($action == 'setshipping_method_id') { // Test on permission to add + if ($action == 'setshipping_method_id') { 
// Test on permission already done $object->shipping_method_id = GETPOSTINT('shipping_method_id'); } diff --git a/htdocs/resource/element_resource.php b/htdocs/resource/element_resource.php index ddf80656fdf..4869d0298b2 100644 --- a/htdocs/resource/element_resource.php +++ b/htdocs/resource/element_resource.php @@ -108,6 +108,12 @@ if ($element == 'product' || $element == 'service') { // When RESOURCE_ON_PRODUC $result = restrictedArea($user, 'produit|service', $element_id, 'product&product', '', '', (string) $fieldtype); } +// TODO +//$permissiontoadd should be set according to $element +//$permissiontodelete should be set according to $element +$permissiontoadd = $user->hasRight('resource', 'write'); +$permissiontodelete = $user->hasRight('resource', 'delete'); + /* * Actions @@ -123,7 +129,7 @@ if (empty($reshook)) { $error = 0; $objstat = null; - if ($action == 'add_element_resource' && !$cancel) { + if ($action == 'add_element_resource' && !$cancel && $permissiontoadd) { // Test on permission already done in header before actions $res = 0; if (!($resource_id > 0)) { $error++; @@ -206,7 +212,7 @@ if (empty($reshook)) { } // Update resource - if ($action == 'update_linked_resource' && $user->hasRight('resource', 'write') && !$cancel) { + if ($action == 'update_linked_resource' && $permissiontoadd && !$cancel) { $res = $object->fetchElementResource($lineid); if ($res) { $object->busy = $busy; @@ -285,7 +291,7 @@ if (empty($reshook)) { } // Delete a resource linked to an element - if ($action == 'confirm_delete_linked_resource' && $user->hasRight('resource', 'delete') && $confirm === 'yes') { + if ($action == 'confirm_delete_linked_resource' && $permissiontodelete && $confirm === 'yes') { $res = $object->fetchElementResource($lineid); // to have correct object deleting resource if ($res) { $result = $object->objelement->delete_resource($lineid, ''); diff --git a/htdocs/societe/card.php b/htdocs/societe/card.php index 1e4285fd696..43954066ecc 100644 
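Review bot: The new `in_array($action, array(...))` membership test omits the strict flag; `$action` is a string so loose comparison is harmless today, but `in_array($action, array(...), true)` is the convention and documents that no type juggling is intended. While here, `$object->tracking_url = trim(GETPOST('tracking_url', 'restricthtml'));` accepts arbitrary text for a value that is presumably rendered as a link later; if so, the right check is a URL filter with the scheme limited to http/https rather than an HTML-restriction filter — the rendering is not visible from this hunk. The enclosing `elseif` chain starts before the hunk.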
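Review bot: `$permissiontoadd` and `$permissiontodelete` are taken from the `resource` module's `write`/`delete` rights regardless of `$element`, and the TODO above them says so; the `restrictedArea()` calls just before (the `produit|service` one is visible in the hunk context) already dispatch on `$element`, so the permission variables should do the same instead of shipping with a known gap where a user holding resource rights but no write right on the linked element may still add or remove links. A `match ($element)` (or `if`/`elseif`) assigning the element-specific right, falling back to the resource right, would resolve the TODO in place. Also, the comment on `add_element_resource` (`// Test on permission already done in header before actions`) now contradicts the `$permissiontoadd` added to the same condition; one of the two should go.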
--- a/htdocs/societe/card.php +++ b/htdocs/societe/card.php @@ -404,7 +404,7 @@ if (empty($reshook)) { $object->client = $prospectcustomer; $object->fournisseur = (GETPOSTINT('supplier') > 0 ? 1 : 0); - if ($action == 'add') { + if ($action == 'add') { // Test on permission already done // for prospect, customer or supplier if ($object->client > 0 || $object->fournisseur > 0) { $form = new Form($db); @@ -867,7 +867,7 @@ if (empty($reshook)) { $result = $object->setWarehouse(GETPOSTINT('fk_warehouse')); } - if ($action == 'confirm_clone' && $confirm != 'yes') { + if ($action == 'confirm_clone' && $confirm != 'yes') { // Test on permission not required here $action = ''; } //clone company essential info diff --git a/htdocs/societe/paymentmodes.php b/htdocs/societe/paymentmodes.php index 0437d0e581e..c229af69105 100644 --- a/htdocs/societe/paymentmodes.php +++ b/htdocs/societe/paymentmodes.php @@ -32,7 +32,6 @@ * \brief Tab of payment modes for the customer */ - // Load Dolibarr environment require '../main.inc.php'; require_once DOL_DOCUMENT_ROOT.'/core/lib/company.lib.php'; @@ -648,7 +647,7 @@ if (empty($reshook)) { $tmpservice = 'StripeTest'; $tmpservicestatus = 0; - if ($action == 'setkey_account') { + if ($action == 'setkey_account') { // Test on permission not required $tmpservice = 'StripeLive'; $tmpservicestatus = 1; } @@ -657,7 +656,7 @@ if (empty($reshook)) { global $stripearrayofkeysbyenv; $tmpsite_account = $stripearrayofkeysbyenv[$tmpservicestatus]['publishable_key']; - if ($action == 'setkey_account') { + if ($action == 'setkey_account') { // Test on permission not required $newcu = GETPOST('key_account', 'alpha'); } else { $newcu = GETPOST('key_accounttest', 'alpha'); @@ -717,7 +716,7 @@ if (empty($reshook)) { $tmpservice = 'StripeTest'; $tmpservicestatus = 0; - if ($action == 'setkey_account_supplier') { + if ($action == 'setkey_account_supplier') { // Test on permission not required $tmpservice = 'StripeLive'; $tmpservicestatus = 1; } 
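Review bot: The `// Test on permission not required` annotation on `if ($action == 'setkey_account')` (and on the `setkey_account_supplier` hunks that follow) suppresses the new CodingPhpTest check for a branch that reads the Stripe account key from the request and assigns it, i.e. a write to the third party's payment configuration; the enclosing condition that decides whether these blocks run is outside the hunks, so I cannot confirm it carries the `$permissiontoadd…` variable used elsewhere in this file. If it does, the accurate annotation is `// Test on permission already done`, which tells a reader the check exists rather than that none is needed; if it does not, the check is missing. The same applies to the second `setkey_account` test in the following hunk.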
@@ -726,7 +725,7 @@ if (empty($reshook)) { global $stripearrayofkeysbyenv; $tmpsite_account = $stripearrayofkeysbyenv[$tmpservicestatus]['publishable_key']; - if ($action == 'setkey_account_supplier') { + if ($action == 'setkey_account_supplier') { // Test on permission not required $newsup = GETPOST('key_account_supplier', 'alpha'); } else { $newsup = GETPOST('key_account_suppliertest', 'alpha'); @@ -931,7 +930,7 @@ if ($socid && ($action == 'edit' || $action == 'editcard') && $permissiontoaddup print '
'; print ''; $actionforadd = 'update'; - if ($action == 'editcard') { + if ($action == 'editcard') { // Test on permission not required $actionforadd = 'updatecard'; } print ''; @@ -941,7 +940,7 @@ if ($socid && ($action == 'create' || $action == 'createcard') && $permissiontoa print ''; print ''; $actionforadd = 'add'; - if ($action == 'createcard') { + if ($action == 'createcard') { // Test on permission not required $actionforadd = 'addcard'; } print ''; diff --git a/htdocs/takepos/printbox.php b/htdocs/takepos/printbox.php index 0163cf6f5f1..59725aa2684 100644 --- a/htdocs/takepos/printbox.php +++ b/htdocs/takepos/printbox.php @@ -61,6 +61,13 @@ if (!$user->hasRight('takepos', 'run')) { } +/* + * Actions + */ + +// None + + /* * View */ diff --git a/htdocs/takepos/receipt.php b/htdocs/takepos/receipt.php index eadfd5cf497..a78403852cb 100644 --- a/htdocs/takepos/receipt.php +++ b/htdocs/takepos/receipt.php @@ -73,6 +73,12 @@ if (!$user->hasRight('takepos', 'run')) { accessforbidden(); } +/* + * Actions + */ + +// None + /* * View diff --git a/htdocs/ticket/card.php b/htdocs/ticket/card.php index 6743e293960..6f5edc022b7 100644 --- a/htdocs/ticket/card.php +++ b/htdocs/ticket/card.php @@ -458,7 +458,7 @@ if (empty($reshook)) { if (($action == "confirm_close" || $action == "confirm_abandon") && GETPOST('confirm', 'alpha') == 'yes' && $permissiontoadd) { $object->fetch(GETPOSTINT('id'), '', GETPOST('track_id', 'alpha')); - if ($object->close($user, ($action == "confirm_abandon" ? 1 : 0))) { + if ($object->close($user, ($action == "confirm_abandon" ? 1 : 0))) { // Test on pemrission already done setEventMessages($langs->trans('TicketMarkedAsClosed'), null, 'mesgs'); $url = 'card.php?track_id=' . GETPOST('track_id', 'alpha'); diff --git a/htdocs/user/card.php b/htdocs/user/card.php index bafa0b4d415..fe108c3cddd 100644 --- a/htdocs/user/card.php +++ b/htdocs/user/card.php 
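Review bot: The comment added to `if ($object->close($user, ($action == "confirm_abandon" ? 1 : 0)))` misspells the word: `// Test on pemrission already done`. It exists only to satisfy the CodingPhpTest regex, which matched this line because it contains `$action == "confirm_abandon"`, and the `$permissiontoadd` test two lines above already covers it; `// Test on permission already done (see condition above)` reads better and still satisfies the check.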
@@ -84,6 +84,7 @@ $confirm = GETPOST('confirm', 'alpha'); $group = GETPOSTINT("group", 3); $cancel = GETPOST('cancel', 'alpha'); $contextpage = GETPOST('contextpage', 'aZ') ? GETPOST('contextpage', 'aZ') : 'usercard'; // To manage different context of search +$backtopage = GETPOST('backtopage'); if (empty($id) && $action != 'add' && $action != 'create') { $id = $user->id; @@ -710,7 +711,7 @@ if (empty($reshook)) { setEventMessages($langs->trans("ErrorFailedToSetNewPassword"), null, 'errors'); } else { // Success - if ($action == 'confirm_passwordsend' && $confirm == 'yes') { + if ($action == 'confirm_passwordsend' && $confirm == 'yes') { // Test on permission already done if ($object->send_password($user, $newpassword) > 0) { setEventMessages($langs->trans("PasswordChangedAndSentTo", $object->email), null, 'mesgs'); } else { @@ -786,7 +787,7 @@ if (empty($reshook)) { } } - if ($action == 'confirm_clone' && $confirm != 'yes') { + if ($action == 'confirm_clone' && $confirm != 'yes') { // Test on permission not required $action = ''; } if ($action == 'confirm_clone' && $confirm == 'yes' && $permissiontocloneuser) { @@ -1633,9 +1634,7 @@ if ($action == 'create' || $action == 'adduserldap') { } - /* - * View mode - */ + // View mode if ($action != 'edit') { print dol_get_fiche_head($head, 'user', $title, -1, 'user', 0, '', '', 0, '', 1); diff --git a/test/phpunit/CodingPhpTest.php b/test/phpunit/CodingPhpTest.php index 36638715b44..ca65d3e6e9f 100644 --- a/test/phpunit/CodingPhpTest.php +++ b/test/phpunit/CodingPhpTest.php 
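Review bot: `$backtopage = GETPOST('backtopage');` is the only request read in this block without an explicit filter, while its neighbours pass `'alpha'`/`'aZ'`; `$backtopage = GETPOST('backtopage', 'alpha');` keeps the convention and states the accepted character set at the point of use. If `$backtopage` feeds a `Location:` redirect later in the file (not visible here), it should also be constrained to a relative path on this site, since an absolute URL taken from the query string would be an open redirect.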
@@ -708,27 +708,43 @@ class CodingPhpTest extends CommonClassTest // Get the part of string to use for analysis $reg = array(); - if (preg_match('/\*\s+Action(.*)\*\s+View/ims', $filecontentorigin, $reg)) { + if (preg_match('/\*\s+Action(.*)\*\s+View/ims', $filecontentorigin, $reg)) { // search '* Action... * View' $filecontentaction = $reg[1]; } else { $filecontentaction = $filecontent; } - preg_match_all('/if.*\$action\s*==\s*[\'"][a-z\-_]+[\'"].*$/si', $filecontentaction, $matches, PREG_SET_ORDER); + // Uncomment this for a scan on one given file + // if ($file['fullname'] != '/home/ldestailleur/git/dolibarr_22.0/htdocs/holiday/card.php') return; + // if ($file['fullname'] != '/home/ldestailleur/git/dolibarr_22.0/htdocs/bom/bom_card.php') return; + + /* + $filecontentaction = <<<'EOT' + Note that $action and $object may have been modified by some hooks + + if ($action == 'add' && $permissiontoadd) { + // aaa + + EOT; + */ + //var_dump($filecontentaction); + preg_match_all('/if\s[^\n\r]+\$action\s*==\s*[\'"][a-z\-_]+[\'"].*$/mi', $filecontentaction, $matches, PREG_SET_ORDER); foreach ($matches as $key => $val) { if (!preg_match('/\$user->hasR/', $val[0]) && !preg_match('/\$permission/', $val[0]) && !preg_match('/\$permto/', $val[0]) && !preg_match('/\$usercan/', $val[0]) + && !preg_match('/\$candelete/', $val[0]) && !preg_match('/\$canedit/', $val[0]) && !preg_match('/\$user->admin/', $val[0]) + && !preg_match('/\->getRights\(\)->/', $val[0]) && !preg_match('/already done/i', $val[0]) && !preg_match('/done later/i', $val[0]) && !preg_match('/not required/i', $val[0])) { $ok = false; - //var_dump($file['fullname'].' '.$filecontentaction);exit; + var_dump($file['fullname'].' '.$val[0].' '.$filecontentaction);exit; print "File ".$file['relativename']." - Line: ".$val[0]."\n"; break;